Langflow CVE-2026-5027 — unauthenticated path traversal → RCE via file upload endpoint (distinct from CVE-2026-33017)
TL;DR
CVE-2026-5027 (CVSS 8.8) — Langflow's file-upload endpoint (POST /api/v2/files) accepts a caller-controlled filename parameter with no path sanitization. An unauthenticated attacker (Langflow auto-login is enabled by default) can write arbitrary files to arbitrary paths on the server filesystem → remote code execution. This is a distinct vulnerability from CVE-2026-33017 (the earlier flow-build RCE that reached CISA KEV). Approximately 7,000 Langflow instances were internet-facing at the time of disclosure; the flaw was being actively exploited in the wild at time of publication. Fixed in Langflow 1.10.0 (addressed in 1.9.0 on 2026-04-15).
What happened
Langflow is a popular visual drag-and-drop AI agent/workflow builder built on LangChain. It is widely deployed by vibe coders to orchestrate multi-step AI pipelines with LLM integrations, database connections, and tool calls.
In June 2026, researchers disclosed CVE-2026-5027: a path traversal vulnerability in the POST /api/v2/files endpoint. The filename field in the multipart upload request was not sanitized — an attacker could supply a filename like ../../../../../../etc/cron.d/backdoor and write content to arbitrary filesystem paths.
Why this is unauthenticated by default: Langflow ships with auto-login enabled — no credentials are required for API access unless an administrator explicitly enables authentication. The vast majority of self-hosted Langflow instances use the default configuration.
RCE path: Writing a malicious Python module to a path inside Langflow's site-packages/ directory, or overwriting a .pth file (Python path hook) in site-packages/, causes the payload to execute at Langflow's next startup or next import. Alternatively, writing to /etc/cron.d/ (Linux) achieves scheduled persistence.
Relationship to CVE-2026-33017:
| CVE-2026-33017 | CVE-2026-5027 | |
|---|---|---|
| Disclosed | March 2026 | June 2026 |
| Endpoint | Flow build/execution endpoint | /api/v2/files file upload |
| Root cause | Code injection via flow node execution | Path traversal in filename parameter |
| CVSS | 9.8 (Critical) | 8.8 (High) |
| CISA KEV | Yes | No (at time of writing) |
| Fixed version | 1.4.0 / 1.3.6 | 1.10.0 (addressed 1.9.0) |
Both CVEs are independently exploitable and both are actively exploited in the wild. Patching for CVE-2026-33017 does not protect against CVE-2026-5027.
Scale: Approximately 7,000 Langflow instances were estimated to be internet-facing at the time of disclosure. Active exploitation indicators were reported by threat intelligence feeds.
Am I affected?
# Check your Langflow version
pip show langflow 2>/dev/null | grep Version
langflow --version 2>/dev/null
# Check if auto-login is enabled (default: true)
cat ~/.langflow/.env 2>/dev/null | grep -i auto_login
# or check the Langflow startup config
# Check if the endpoint is reachable from the internet
curl -s http://localhost:7860/api/v2/files -X OPTIONS 2>/dev/null
You are affected if: 1. You run Langflow < 1.10.0 (or < 1.9.0 if you have been patched since April 15, 2026) 2. Your Langflow instance is reachable from the public internet or from any untrusted network
If auto-login is enabled (the default), no authentication is required to exploit this.
IOCs
| Type | Value |
|---|---|
| CVE | CVE-2026-5027 |
| CVSS | 8.8 (High) |
| Affected versions | Langflow < 1.9.0 |
| Fixed version | Langflow 1.9.0 (2026-04-15) / 1.10.0 |
| Vulnerable endpoint | POST /api/v2/files |
| Attack vector | filename parameter path traversal |
| Authentication required | No (auto-login enabled by default) |
| Exploitation status | Actively exploited in the wild |
| Estimated exposed instances | ~7,000 |
| Related CVE | CVE-2026-33017 (distinct; both actively exploited) |
If you are affected
- Upgrade Langflow to 1.10.0 immediately. This is the cleanest fix; 1.9.0 addressed the file-upload path traversal but 1.10.0 includes additional hardening.
- Treat the host as compromised if you ran Langflow < 1.9.0 while internet-facing. Assume arbitrary files were written.
- Audit the filesystem for unexpected files in
site-packages/,/etc/cron.d/,/tmp/, or Langflow's working directory. Look for.pthfiles added since March 2026. - Rotate all credentials accessible from the Langflow host — LLM API keys, cloud IAM credentials, database passwords, and any secrets in Langflow's configured integrations.
- Enable authentication in Langflow (
AUTO_LOGIN=falseand configure OAuth/email auth) — do not rely on network isolation alone. - Firewall the port (
7860by default) — Langflow should not be directly internet-facing without a reverse proxy + authentication layer. - See playbooks/rotating-cloud-credentials.md.
Prevention
- Enable authentication: Set
AUTO_LOGIN=falsein Langflow's environment and configure user authentication. All vibe-coded Langflow instances should require credentials. - Never expose Langflow directly to the internet. Use a reverse proxy (nginx/Caddy/Cloudflare Tunnel) with authentication in front of it.
- Pin to a release and update promptly. Langflow has had two independently-exploited CVEs in three months (March + June 2026). Subscribe to langflow-ai/langflow release notifications.
- Treat disclosure-to-exploit as < 24 hours for any AI-framework CVE. The LiteLLM and PraisonAI baselines confirm this cadence.
- → prevention/agent-sandboxing.md
Sources
- The Hacker News — CVE-2026-5027: Langflow Path Traversal Lets Attackers Write Files via Upload Endpoint — primary disclosure; path traversal; auto-login default; 7,000 exposed instances; active exploitation.
- BleepingComputer — New Langflow Flaw CVE-2026-5027 Exploited in the Wild, Distinct from March CVE-2026-33017 — distinction from prior CVE; attack timeline; RCE path.
- SecurityWeek — Langflow Vulnerability CVE-2026-5027 Actively Exploited, Patch to 1.10.0 — CVSS score; exploitation confirmation; fix version.
- CybersecurityNews — Langflow RCE Via File Upload Path Traversal (CVE-2026-5027): Thousands of Instances at Risk — exposure scale; endpoint detail.
- NVD — CVE-2026-5027 — canonical CVE record; CVSS 8.8.
- Cross-link: Langflow CVE-2026-33017 RCE (March 2026) — prior actively-exploited Langflow CVE; both are independently in the wild.